don't let users comment on things they can't see

2022-10-07 03:22:07 -07:00 · 2022-10-07 03:22:07 -07:00 · 0627a12bc5
parent 48384ba8e5
commit 0627a12bc5
1 changed files with 1 additions and 0 deletions
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@ -164,6 +164,7 @@ def comment(v):
 		if parent.author_id == v.id: rts = True
 	else: abort(400)
 	
+	if not parent.can_see(v): abort(404)
 	if parent.deleted_utc != 0: abort(404)

 	body = request.values.get("body", "").strip().replace('‎','')